Hi ,Iam facing issue in calculating time difference with two timestamp fields in the same xml event. The difference field is always coming as spaces if I use the below query.Please advise if there is any change required in conf file to calculate the timestamp difference
Search query
sourcetype="SOURCEA" "History.rowdata.StageName"="stage A" | spath output=StartTime path=ProcessHistory.rowdata.ProcessStartTime |spath output=EndTime path=History.rowdata.ProcessCompleteTime | eval CapturedStartTime = strptime(StartTime,"%Y%m%dT%H%M%S.%3N GMT") |eval CapturedEndTime = strptime(EndTime,"%Y%m%dT%H%M%S.%3N GMT") |eval Duration = CapturedEndTime - CapturedStartTime | table ActivityCd StartTime EndTime CapturedStartTime CapturedEndTime Duration
>>Completed >stage A >20160126T193403.622> GMT >20160126T193403.632> GMT >Completed >stage A >20160126T193359.815> GMT >20160126T193359.915> GMT
↧